Radio Equipment Directive (RED)
The Radio Equipment Directive (2014/53/EU) is an EU regulation governing the placing on the market and use of radio equipment within the European Economic Area. Its Delegated Act 2022/30 — commonly called “RED 3(3)(d)(e)(f)” — adds mandatory cybersecurity requirements for all radio equipment, making it the first EU regulation to enforce security on wireless hardware.
Key Facts
| Detail | Information |
|---|---|
| Base directive | Directive 2014/53/EU on radio equipment |
| Security extension | Commission Delegated Regulation (EU) 2022/30 |
| Articles activated | 3(3)(d) — network protection, 3(3)(e) — privacy safeguards, 3(3)(f) — fraud protection |
| Applies from | 1 August 2025 |
| Scope | All radio equipment: Wi-Fi, Bluetooth, cellular, LoRa, Zigbee, NFC, UWB, GNSS receivers |
| Enforcement | CE marking required — non-compliant products cannot be placed on the EU market |
| Relationship to CRA | Products compliant with CRA are deemed to satisfy RED 3(3)(d)(e)(f) |
What Does RED 3(3)(d)(e)(f) Require?
Article 3(3)(d) — Network Protection
Radio equipment must not harm communication networks or misuse network resources:
- Authenticated communication — Devices must verify the identity of connected networks and peers.
- Secure protocols — TLS 1.2+ or equivalent for all network communication.
- Access control — Default credentials must be unique per device or require change at first use.
Article 3(3)(e) — Privacy Safeguards
Radio equipment must incorporate safeguards to protect personal data:
- Data minimization — Collect only data necessary for device function.
- Encrypted storage — Personal data stored on-device must be encrypted at rest.
- Consent mechanisms — Users must be able to control personal data processing.
Article 3(3)(f) — Fraud Protection
Radio equipment must support features to reduce fraud risk:
- Secure identity — Each device must have a cryptographically verifiable identity.
- Authenticated firmware — Only signed, authorized firmware can execute.
- Secure payment — Devices supporting financial transactions must implement appropriate security.
Which Devices Are Affected?
| Category | Examples | RED Articles |
|---|---|---|
| Internet-connected | Smart speakers, IP cameras, smart home devices | 3(3)(d), 3(3)(e) |
| Wearables | Smartwatches, fitness trackers | 3(3)(d), 3(3)(e) |
| Childcare | Baby monitors, GPS trackers for children | 3(3)(d), 3(3)(e) |
| Payment-capable | POS terminals, NFC payment devices | 3(3)(d), 3(3)(e), 3(3)(f) |
| Industrial IoT | Wireless sensors, LoRa gateways, cellular modems | 3(3)(d), 3(3)(e) |
| Automotive | Connected car modules, V2X equipment | 3(3)(d), 3(3)(e) |
Critical: If your device has any wireless capability (even a Bluetooth chip for configuration), RED cybersecurity requirements apply as of August 2025.
RED vs. CRA
The RED Delegated Act (Aug 2025) predates full enforcement of the CRA (Dec 2027), creating a transition period in which RED is the primary cybersecurity regulation for wireless devices:
| Aspect | RED 3(3)(d)(e)(f) | CRA |
|---|---|---|
| Applies from | August 2025 | December 2027 (full) |
| Scope | Radio equipment only | All products with digital elements |
| Assessment | Self-assessment against harmonized standards | Tiered: self-assessment to third-party |
| SBOM required | No explicit requirement | Yes, mandatory |
| Vulnerability reporting | Not required | 24-hour reporting to ENISA |
After CRA enters full force, products compliant with CRA automatically satisfy RED cybersecurity articles — but until then, RED is the enforceable standard.
Hardware Compliance Strategy
Meeting RED 3(3)(d)(e)(f) requirements typically requires:
- Secure Boot — Verified firmware chain from hardware root of trust.
- Secure Element — Hardware-based key storage for device identity and authentication.
- Unique device credentials — Per-device cryptographic identity provisioned at manufacturing.
- Encrypted communication — TLS 1.3 with certificate pinning for all wireless interfaces.
- Authenticated OTA updates — Signed firmware updates with rollback protection.
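One way the device-side check behind "Authenticated OTA updates" can look, as an added example that is not part of the original page: the vendor signs the firmware version together with the image digest, and the device refuses anything whose signature fails or whose version is not newer than the installed one. Ed25519, the signed-message layout, the all-zero demo seed and the names `SignDemo`, `VerifyUpdate` and `signedBytes` are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrSignature = errors.New("signature does not cover this version and image")
	ErrRollback  = errors.New("version not newer than installed firmware")
)

// signedBytes binds the version to the image: 4-byte version, then SHA-256(image).
func signedBytes(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	return append(binary.BigEndian.AppendUint32(nil, version), digest[:]...)
}

// SignDemo is the vendor side, with a throwaway key from a constructed all-zero seed.
func SignDemo(version uint32, image []byte) (ed25519.PublicKey, []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, signedBytes(version, image))
}

// VerifyUpdate is the device side. It returns the version counter to persist:
// unchanged on any failure, advanced only once both checks pass.
func VerifyUpdate(pub ed25519.PublicKey, version uint32, image, sig []byte, installed uint32) (uint32, error) {
	if !ed25519.Verify(pub, signedBytes(version, image), sig) {
		return installed, ErrSignature
	}
	if version <= installed { // re-installing the same version is refused too
		return installed, ErrRollback
	}
	return version, nil
}

func main() {
	image := []byte("constructed firmware image, v5")
	pub, sig := SignDemo(5, image)
	fmt.Println(VerifyUpdate(pub, 5, image, sig, 4)) // newer and correctly signed
	fmt.Println(VerifyUpdate(pub, 5, image, sig, 7)) // correctly signed but older
	fmt.Println(VerifyUpdate(pub, 9, image, sig, 7)) // old image relabelled as v9
}
```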
Related Terms
- CRA — The broader EU product cybersecurity regulation that supersedes RED cybersecurity articles from 2027.
- NIS2 — The directive securing organizations; RED secures the wireless products they use.
- Secure Boot — Firmware verification essential for RED compliance.
- IoT — The device category most impacted by RED cybersecurity requirements.